diff --git a/horilla_api/api_views/attendance/views.py b/horilla_api/api_views/attendance/views.py index 6c9699f5c..89b6ec53f 100644 --- a/horilla_api/api_views/attendance/views.py +++ b/horilla_api/api_views/attendance/views.py @@ -233,7 +233,8 @@ class AttendanceView(APIView): "error": [ "Attendance for this employee on the current date already exists." ] - } + }, + status=400, ) return Response(serializer.errors, status=400) diff --git a/horilla_api/api_views/base/views.py b/horilla_api/api_views/base/views.py index ea522cd77..48b7c92e8 100644 --- a/horilla_api/api_views/base/views.py +++ b/horilla_api/api_views/base/views.py @@ -539,9 +539,23 @@ class RotatingWorkTypeAssignView(APIView): filterset_class = RotatingWorkTypeAssignFilter permission_classes = [IsAuthenticated] + def _permission_check(self, request, obj=None, pk=None): + if pk: + employee = request.user.employee_get + manager = obj.employee_id.get_reporting_manager() + if ( + employee == obj.employee_id + or manager == employee + or request.user.has_perm("base.view_rotatingworktypeassign") + ): + return True + return False + @manager_permission_required("base.view_rotatingworktypeassign") def get(self, request, pk=None): + if pk: + rotating_work_type_assign = object_check(RotatingWorkTypeAssign, pk) if rotating_work_type_assign is None: return Response( @@ -1276,8 +1290,6 @@ class EmployeeTabPermissionCheck(APIView): class CheckUserLevel(APIView): def get(self, request): perm = request.GET.get("perm") - instance = Employee.objects.filter(id=request.GET.get("employee_id")).first() - if _is_reportingmanger(request, instance) or request.user.has_perm(perm): - + if request.user.has_perm(perm): return Response(status=200) return Response({"error": "No permission"}, status=400) diff --git a/horilla_api/api_views/employee/views.py b/horilla_api/api_views/employee/views.py index 83cc0ab0c..7c4004437 100644 --- a/horilla_api/api_views/employee/views.py +++ b/horilla_api/api_views/employee/views.py 
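Review bot: `_permission_check` is added to `RotatingWorkTypeAssignView` (hunk @@ -539) but nothing in the hunk calls it, so `get` is still gated only by `@manager_permission_required("base.view_rotatingworktypeassign")`, which denies the non-manager employee reading their own assignment — the very case the helper's `employee == obj.employee_id` clause seems meant to allow; unless the call is wired in outside this hunk it is dead code. The helper also dereferences `obj.employee_id` whenever `pk` is truthy although `obj` defaults to `None`, and falls off the end returning `None` instead of `False` when `pk` is falsy; a guard `if not pk or obj is None: return False` as the first statement makes both paths explicit. The collapsed layout suggests two blank `+` lines were inserted inside `get`, which black would not emit — worth re-running the formatter. The body of `get` continues outside the hunk.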
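Review bot: In `CheckUserLevel.get` (hunk @@ -1276) dropping the `_is_reportingmanger` branch means a reporting manager who previously got 200 for a subordinate now gets `No permission` unless they hold `perm` globally, and the `employee_id` query parameter is still accepted but read by nobody; if the narrowing is intended it should be stated in a docstring such as `"""Return 200 only when request.user holds the Django permission named by ?perm=; employee_id is ignored."""`. `perm` comes straight from the query string and is never validated: `request.user.has_perm(None)` is `False` for ordinary users but `True` for an active superuser, so a client that omits the parameter gets a misleading `No permission` for one group and 200 for the other. A guard like `if not perm: return Response({"error": "perm is required"}, status=400)` before the permission test pins the contract.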
@@ -50,6 +50,10 @@ from ...api_serializers.employee.serializers import ( ) +def permission_check(request, perm): + return request.user.has_perm(perm) + + def object_check(cls, pk): try: obj = cls.objects.get(id=pk) @@ -440,6 +444,8 @@ class ActiontypeView(APIView): return paginater.get_paginated_response(serializer.data) def post(self, request): + if permission_check(request, "employee.add_actiontype") is False: + return Response({"error": "No permission"}, status=401) serializer = self.serializer_class(data=request.data) if serializer.is_valid(): serializer.save() @@ -447,6 +453,8 @@ class ActiontypeView(APIView): return Response(serializer.errors, status=400) def put(self, request, pk): + if permission_check(request, "employee.change_actiontype") is False: + return Response({"error": "No permission"}, status=401) action_type = object_check(Actiontype, pk) if action_type is None: return Response({"error": "Actiontype not found"}, status=404) @@ -457,6 +465,8 @@ class ActiontypeView(APIView): return Response(serializer.errors, status=400) def delete(self, request, pk): + if permission_check(request, "employee.delete_actiontype") is False: + return Response({"error": "No permission"}, status=401) action_type = object_check(Actiontype, pk) if action_type is None: return Response({"error": "Actiontype not found"}, status=404) @@ -544,6 +554,8 @@ class DisciplinaryActionAPIView(APIView): return paginator.get_paginated_response(serializer.data) def post(self, request): + if permission_check(request, "employee.add_disciplinaryaction") is False: + return Response({"error": "No permission"}, status=401) serializer = DisciplinaryActionSerializer(data=request.data) if serializer.is_valid(): serializer.save() 
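Review bot: The new guard in `ActiontypeView.post` (hunk @@ -440) answers an authenticated user who lacks the permission with 401, but 401 means the request carried no usable credentials; a denied permission is 403, which is also what DRF's own permission classes and `PermissionDenied` produce. The same `status=401` appears in hunks @@ -447, @@ -457 and @@ -544 on this line and in every hunk on the next, so changing each to `return Response({"error": "No permission"}, status=403)` fixes them all consistently. `permission_check(request, ...) is False` is also an awkward comparison; `if not permission_check(request, "employee.add_actiontype"):` is the idiomatic form. Since `permission_check` (hunk @@ -50) becomes the module's authorization boundary it should carry a docstring, e.g. `"""Return True when request.user holds the Django permission *perm*."""`.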
@@ -551,6 +563,8 @@ class DisciplinaryActionAPIView(APIView): return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST) def put(self, request, pk): + if permission_check(request, "employee.add_disciplinaryaction") is False: + return Response({"error": "No permission"}, status=401) disciplinary_action = self.get_object(pk) serializer = DisciplinaryActionSerializer( disciplinary_action, data=request.data @@ -561,6 +575,8 @@ class DisciplinaryActionAPIView(APIView): return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST) def delete(self, request, pk): + if permission_check(request, "employee.add_disciplinaryaction") is False: + return Response({"error": "No permission"}, status=401) disciplinary_action = self.get_object(pk) disciplinary_action.delete() return Response(status=status.HTTP_204_NO_CONTENT) @@ -613,6 +629,9 @@ class PolicyAPIView(APIView): return paginator.get_paginated_response(serializer.data) def post(self, request): + if permission_check(request, "employee.add_policy") is False: + return Response({"error": "No permission"}, status=401) + serializer = PolicySerializer(data=request.data) if serializer.is_valid(): serializer.save() @@ -620,6 +639,8 @@ class PolicyAPIView(APIView): return Response(serializer.errors, status=400) def put(self, request, pk): + if permission_check(request, "employee.change_policy") is False: + return Response({"error": "No permission"}, status=401) policy = self.get_object(pk) serializer = PolicySerializer(policy, data=request.data) if serializer.is_valid(): @@ -628,6 +649,8 @@ class PolicyAPIView(APIView): return Response(serializer.errors, status=400) def delete(self, request, pk): + if permission_check(request, "employee.delete_policy") is False: + return Response({"error": "No permission"}, status=401) policy = self.get_object(pk) policy.delete() return Response(status=204)
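Review bot: `DisciplinaryActionAPIView.put` and `delete` (hunks @@ -551 and @@ -561) both check `employee.add_disciplinaryaction`, so a user granted only the add permission can also modify and delete disciplinary actions, whereas `ActiontypeView` and `PolicyAPIView` in this commit check `change_*` and `delete_*` for those verbs. They should check `employee.change_disciplinaryaction` and `employee.delete_disciplinaryaction` respectively, assuming the default Django model permissions for the model are in place. All five hunks on this line also return 401 where 403 is the status for an authenticated user without permission; this class already uses the `status` module (`status.HTTP_400_BAD_REQUEST`), so `status=status.HTTP_403_FORBIDDEN` keeps it consistent.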